Memory Access Vulnerability in Apache Portable Runtime by The Apache Software Foundation
CVE-2017-12613

7.1HIGH

Key Information:

Vendor
Apache
Status
Apache Portable Runtime
Vendor
CVE Published:
24 October 2017

Summary

In the Apache Portable Runtime (APR) library versions up to 1.6.2, improper handling of invalid month values in the apr_time_exp*() or apr_os_exp_time*() functions can lead to out-of-bounds memory access. This may inadvertently expose sensitive data stored in the static heap or can result in program crashes. Applications using these functions with unvalidated external inputs are particularly at risk, potentially leading to information disclosure or denial of service issues.

Affected Version(s)

Apache Portable Runtime 1.6.2 and prior

References

https://lists.debian.org/debian-lts-announce/2017/11/msg0...
mailing-listx_refsource_MLIST
https://access.redhat.com/errata/RHSA-2018:0316
vendor-advisoryx_refsource_REDHAT
https://svn.apache.org/viewvc?view=revision&revision=1807976
x_refsource_CONFIRM

CVSS V3.1

Score:
7.1
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.